As part of the University’s ongoing effort to reduce institutional risk and better safeguard University data, we are tightening controls for resource mailboxes at UNC.
A resource mailbox (RMB) may also be referred to as a room calendar or a shared calendar. RMBs are used for a variety of purposes at UNC, including:
- Managing scheduling for shared spaces (conference rooms, hoteling spaces, etc.)
- Managing scheduling for shared pieces of equipment
- Managing scheduling for a team
Currently, when a resource mailbox is created, the person requesting it (and anyone else they designate) becomes the owner. This gives them access to change the details shared on the calendar and/or publish the calendar – even if sensitive information is being unintentionally shared. We are making changes to protect the University from this recently identified risk in our environment.
To mitigate the risk of exposing sensitive information, ITS is making three changes to resource mailboxes:
- If calendar details beyond availability are shared, the sharing will be set instead to “availability only.”
- If a calendar is published with a public URL, it will be un-published.
- Current owners and those with full access will become delegate editors instead.
Impacts
- The change to calendar event detail visibility is the most immediately impactful, and potentially confusing, part of this change. The default setting is to share only availability (free/busy) with everyone at UNC, but many calendars have been configured to share more details, like titles and locations. After this change, only people who have been granted explicit access will see event details. All other users will see only whether the calendar is free or busy.
- The change to unpublish all public calendar URLs is the most straightforward – calendars are not published to the web by default. Only a small minority of calendars are currently published with a public URL.
- The transition of owners and anyone with full access to delegate editors will not change any permissions within the calendar itself. However, it removes the ability to publish the calendar, change the details shared in the calendar, or make changes to the mailbox itself.
Exception requests
Because we know there are legitimate business cases for some of these settings, you may request an exception by March 28, 2025. The senior IT administrator in your unit(s) will review requests after the March 28 deadline, and ITS will begin mitigation work on April 7.
Before you request an exception, please consider the following points:
- The default availability of resource mailboxes is viewable by anyone at UNC – everyone can see when resources are free. Be sure that there is a business case to show additional details.
- We are not changing permissions for anyone who has direct access to the calendar (unless that access is “owner”). We recommend you review who has direct access to your calendars.
We recognize this may be an impactful change to your schools and departments and we appreciate your support as we implement these critical institutional safeguards.